Last Updated: 14, 2023
This Privacy Policy details the data we collect through our ThreatDown solutions and why. We do not and will not sell your data to third parties. Our primary purpose in collecting your data is to be able to equip you with effective products and services that provide a more agile, dynamic response to new and unknown threats.
This Privacy Policy applies to Malwarebytes websites and products and describes how Malwarebytes collects, uses, shares and secures your personal information. It also describes your choices regarding use, access and correction of your personal information.
Please, if you have any questions or suggestions, don’t hesitate to contact us at privacy@malwarebytes.com.
Caution: Legalese ahead.
When do we collect your information? | |||
---|---|---|---|
We may collect your information: (1) when you license and use our software (“Software Collection”); (2) when you interact with certain portions of our website, such as our forums, blogs, and support center (“Website Collection”); (3) when you communicate or interact with us by email, chat, or otherwise (“Dialogue Collection”); and (4) when you apply to work for us (“Job Applicant Collection”). |
Simply
We collect your information when you use our software, website, or otherwise communicate with us.
|
What information do we collect? | |||
---|---|---|---|
We may collect both personal information and non-personal information. Personal information is information that is either expressly provided by you, such as your name, or information that can be used either alone or in combination with other information to personally identify you, such as your email address, phone number, and user name. We may collect the following personal information from you: Contact Information (such as name, email address, mailing address, or phone number); Unique Identifiers (such as username and password used for authenticating your Malwarebytes accounts and products) and machine identification numbers, Internet protocol (IP) addresses; Information about your business (such as company name, company size, business type); and Information related to your usage of our products as described in the next section, below. Our service providers may collect billing information (credit card number and billing address) on our behalf to process orders. Non-personal information is all information that is not personal information or is information that was personal information but which we modify and/or aggregate with other data in order to make it non-personal information. As is true of most websites, we gather certain information automatically. This information may include browser type, Internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, clickstream data to analyze trends in the aggregate, and/or other metadata associated with your machine and usage activities and anonymously generated device identifiers and administer the site. |
Simply
There are two types of information We collect: personal and non-personal.
|
Software Collection – information collected when using our security software | |||
---|---|---|---|
User-Agent String
Each API communication coming from any of our client software identifies itself with a string that includes information about the software itself:
|
Why?
So we can manage your Malwarebytes product and ensure that it is up to date.
|
||
GeoIP Data
When we collect data from our client systems, we do not store the IP address from which the request originates. However, we do use it to gather geographic information on the system calling in:
|
Why?
So our malware intelligence team can track malware and potentially unwanted program (“PUP”) outbreaks and patterns.
|
||
Functional Data
We collect data that is necessary for the functionality of the software or for our performance of providing the software to you. For example, we may need to collect system processes and behaviors in order to perform system rollback and recovery operations.
|
Why?
So our products are able to function as intended, including being able to detect and remediate malware and PUPs, and provide rollback and recovery operations.
|
||
Client Data
In addition to functional data, we collect client data from each program that describe the client environment (i.e., our software and the computer system it is running on). In this, we collect:
|
Why?
So we can gather performance data around our products and how they operate in relation to different hardware and software environments. By having this data, we can improve our products as well as optimize them for the various system configurations that our users are using.
|
||
Machine Identification Data
We identify each system by assigning each system with a Malwarebytes-generated distinct identifier that is created at install time.
|
Why?
So we are able to get an accurate count of our install base. We are also able to identify changes to an individual system over time, allowing us to recognize trends which are used for improving our products.
|
||
License Data
We collect data from products corresponding to the products’ applicable license state. These data also use a unique identifier. In this, we collect:
|
Why?
So we can remind you when your Malwarebytes subscription is about to expire or to determine the correct license type. We may use such license data in conjunction with other software collection to assist you in resolving licensing issues.
|
||
Malware and PUP Data
We collect data about the malware and PUPs that are detected by our products. We collect:
|
Why?
So our malware intelligence team can track malware and PUP outbreaks and improve the efficacy of Malwarebytes products.
|
||
Trial Data
When a client attempts to start a trial, we track it remotely in order to validate that the trial is allowed. For this information we use another unique system identifier. We collect:
|
Why?
So we can update your Malwarebytes products accurately and when they need it.
|
||
Exploit Data
In ThreatDown Anti-Exploit products we collect a complex data object for any exploit process which is blocked by the software. In this data we collect:
|
Why?
So our malware intelligence team can track exploit outbreaks and deepen its understanding of new exploit techniques.
|
||
Operating System User Account Name and Domain
In certain Malwarebytes business products providing brute-force attack protection, we collect user account names and domain information.
|
Why?
So that you (as the customer) can see what credentials are being targeted during brute-force attacks.
|
||
Port number(s) used for incoming connections.
In certain Malwarebytes business products providing brute-force attack protection, we collect user account names and domain information associated with connections to network port numbers, including, but not limited to, those associated with: remote desktop protocol, FTP, SQL, IMAP, POP3, SMTP.
|
Why?
So that you (as the customer) can see what ports are being used for connections by different protocols, and improve our products.
|
||
Mobile Application Data
When you download and use our Services, we automatically collect information on the type of device you use, operating system version, and the unique device identifier. We send you push notifications from time to time in order to update you about any events or promotions that we may be running. If you no longer wish to receive these types of communications, you may turn them off at the device level. To ensure you receive proper notifications, we will need to collect certain information about your device such as operating system and user identification information. We do not ask for, access or track any location-based information from your mobile device at any time while downloading or using our Mobile Apps or Services. We use mobile analytics software to allow us to better understand the functionality of our Mobile Software on your phone. This software may record information such as how often you use the application, the events that occur within the application, aggregated usage, performance data, and where the application was downloaded from. We do not link the information we store within the analytics software to any personal information you submit within the mobile application. As part of our text message filtering functionality, our Mobile Software also collects text messages from senders who are not in your contacts, and analyzes these text messages to determine whether they are malicious. We only receive the sender information and the body of the message, which is analyzed to determine if it contains malicious URLs or comes from malicious senders; no information is provided about the recipient. Text messages that are malicious are retained for analysis by our researchers; however, all other text messages are discarded. To learn more please visit our knowledgebase article here |
Simply
We collect information that allows us to fight against malware and PUPs on your device and contact you if you allow us to send push notifications.
|
ThreatDown Cloud Storage Scanner (“CSS”) | |||
---|---|---|---|
See above “Software Collection – information collected when using our security software” for details regarding data collection | |||
Where you use CSS:
|
Why?
So that our products are able to function and perform your instructions.
|
Software Collection – information collected when using our Malwarebytes Privacy VPN software | |||
---|---|---|---|
License Data
As part of installation and activation of your Malwarebytes Privacy VPN application, we: collect the key used to license the product; and generate a unique identifier.
|
Why?
So that we can activate your license, validate your account, and assist you in resolving licensing issues.
|
||
Software Version
We identify what version of the Malwarebytes Privacy VPN application you are running.
|
Why?
So that we can provide you with updates to the Malwarebytes Privacy VPN product.
|
||
Malwarebytes Privacy VPN’s WireGuard public key
Your Malwarebytes Privacy VPN application generates a cryptographic public/private key pair. We only receive the public key which is used to validate and establish a VPN connection. Your public/private key pair is periodically changed for increased security. |
Why?
So that your Malwarebytes Privacy VPN application is able to connect to the VPN service as allowed under the applicable device limit associated with your purchase.
|
||
The Malwarebytes Privacy VPN application does not collect or retain the following:
|
|||
|
Website and Dialogue Collection | |||
---|---|---|---|
As part of our Website Collection and Dialogue Collection we collect and we ask you to provide information about yourself including but not limited to:
|
Why?
Providing your data is optional, but it may be necessary for certain services, such as accessing content (whitepapers, newsletters, webinars) or receiving customer support services. In such cases, if you do not provide your information, we may not be able to provide you with the requested services. You may agree to receive newsletters or promotional content when you opt to provide your information. You can unsubscribe at any time.
|
Job Applicant Collection | |||
---|---|---|---|
When you apply for a position at Malwarebytes, we ask you to provide information about yourself including, but not limited to:
|
Simply
We collect your information when you give it to us as part of a job application.
|
How do we collect your information? | |||
---|---|---|---|
Directly
Some information you (or someone acting on your behalf) provide to us directly. For example, when you post comments, ask questions in our blog, fill out a user profile, apply for a job, or voluntarily decide to grant us remote access to provide you with technical support. Also, we may collect and store all posted forum and blog information and user profiles and make them available for public viewing.
|
Simply
We collect your information when you give it to us or post in forums or blogs.
|
||
Cookies
Malwarebytes and its service providers collect information through the use of first-party and third-party “cookies” and other similar tracking technologies to analyze trends, administer the website, track users’ movements around the website, to market our products, and to gather demographic and regional information about our user base as a whole. Cookies are text files saved by your browser when you log into our software or services. We may use both session cookies and persistent cookies to identify that you have logged in, to tell us how and when you interact with our software or services, and to check aggregate usage and web traffic. Unlike persistent cookies, session cookies are deleted when you log off and close your browser. If you prefer, you can always change your browser options to stop accepting cookies or to prompt you before accepting cookies. However, if you do not accept cookies you may not be able to access the entirety of our software and services. |
Simply
We also collect your information using “cookies” and other similar tracking technologies when you visit our website. You can prevent this method of information collection if you like.
|
||
Account Registration
If you create an account with us through a third party like Facebook or Twitter (“SNS Accounts”) you may have to provide us with your user name or user ID so that we can authenticate your identity.
|
Simply
We collect your information when you create an account.
|
||
Software Functionality
Our software collects information about your use of the software as well as transfers of information between your computers that run the software and our servers. This is necessary to ensure our software is operating correctly and to confirm the status of your license of our software.
|
Simply
We collect information about your Malwarebytes license.
|
||
From Third Parties
From time to time, we may receive personal information about you, including your name, e-mail address, and other information from third-party sources such as distributors and resellers who sell our products and services to you, payment processors who process payments you make for purchasing our products and services, marketing partners, and public sources. These third parties have indicated that they have your consent or are otherwise legally permitted to disclose your personal information to us.
|
Simply
We collect information about your Malwarebytes purchases where you make them through third-parties.
|
How do we use personal information? | |||
---|---|---|---|
We use personal information for the following purposes: providing you with information, products or services; providing support to you and responding to your requests; providing information about our products, services, events, or news, including newsletters and promotional messages; performing and enforcing any contract(s) between yourself and Malwarebytes, including billing and collections; to improve our products and services, including malware research, as well as our websites and present content to you; to market new and existing products to you; and as otherwise described to you when collecting your personal information or as otherwise allowed by applicable law. We will not use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice. Other than with respect to the exceptions below, we do not share personal information with third parties. |
Simply
We use your information for providing you with our services. In certain situations, described below, we may share your personal information with a third party.
|
Exceptions | |||
---|---|---|---|
Website Analytics
Our servers automatically record Log Data information about how a user interacts with our software and services on our websites, including but not limited to our public website and our web-based management consoles. Log Data may include a user’s Internet Protocol (IP) address, browser type, operating system, web page that the user was visiting before accessing our server, search terms, and the pages or features of our software or services accessed by the user and the time spent there. Google Analytics provides us with the analysis of such data. Google’s privacy policy is available at http://www.google.com/policies/privacy.
|
Simply
Exception #1: We receive your website interaction information from Google for analytical purposes.
|
||
Service Providers
We may engage service providers to administer and provide our services. We may provide personal information to such service providers only for the purpose of performing services on our behalf, such as fulfilling orders and delivering updates, payment processing, providing customer service, sending marketing communications, conducting research and analysis, and providing cloud computing infrastructure. We require such service providers to agree not to disclose your personal information or use your personal information for any other purpose. For our cloud-based Software, we utilize Amazon Web Services for our infrastructure. With such infrastructure, you are able to benefit from Amazon Web Services Cloud Compliance security and privacy measures, including but not limited to ISO and SOC certifications. For more information on Amazon Web Services Cloud Compliance please visit https://aws.amazon.com/compliance/.
|
Simply
Exception #2: If we give your information to a service provider company, they won’t use your information outside of our business relationship.
|
||
Business Transactions
Information that we collect from users, including personal information, is considered a business asset. Accordingly, if we go out of business or enter bankruptcy, or if we are acquired, e.g., as a result of a transaction such as a merger, acquisition, or asset sale, your personal information may be disclosed or transferred to the third-party acquirer in connection with the transaction. You will be notified via email and/or a prominent notice on our website, of any change in ownership, uses of your personal information, and choice you may have regarding your personal information.
|
Simply
Exception #3: If someone buys us or we go bankrupt, your information may be transferred to someone else.
|
||
Governmental; Law Enforcement
We may disclose personal information to government agencies, law enforcement officials, and private parties as we, in our sole discretion, believe necessary: (1) to satisfy or comply with any applicable law, regulation or legal process; (2) to respond to lawful requests, including subpoenas, warrants or court orders; (3) to protect our property, rights and safety and the rights, property and safety of third parties or the public in general; and (4) to prevent or stop activity we consider to be illegal or unethical. In certain situations, Malwarebytes may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. |
Simply
Exception #4: If the government asks for your information, we may comply.
|
||
Consent
We may share your personal information with third-party sites or platforms, such as social networking sites, but only if you have expressly requested that we do so. Similarly, by posting profile, content, or other information, including personal information to a forum or blog, you indicate your consent to its public use. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. We will list you in our publicly accessible member directory on the forum website. We also display testimonials of satisfied customers on our websites in addition to other endorsements. With your consent, we may post your testimonial along with your name. If you wish to update or delete your testimonial, you can contact us at privacy@malwarebytes.com.
|
Simply
Exception #5: If you post your information in one of our forums or on the blog, well, that’s public
|
Other Privacy Considerations | |||
---|---|---|---|
The Legal Bases for Using Personal Information
The General Data Protection Regulation (EU) 2016/679 (“GDPR”) became effective May 25, 2018. The GDPR requires that a valid legal basis be used to process personal data. In certain countries, there are different legal bases that we rely on to use your personal information, namely:
Performance of a contract
The use of your personal information may be necessary to perform the agreement you have with us. For example, to complete your purchase of your product, to register and maintain your account and to make sure that your product performs its functions in a secure way or to respond to your requests
Legitimate interests
We may use your personal information for our legitimate interests. For example, we rely on our legitimate interest to analyze and improve our products and the content on our websites, to send you notifications about software updates or information about products or to use your personal information for administrative, fraud detection or legal purposes
Legal obligation
We may use your personal information to comply with legal requirements, as further described in Exception 4, above
Consent
We may at times, request your consent to conduct certain actions with your personal information. When requesting your consent, we are transparent in ensuring you know what you are consenting to.
|
Simply
These are the legal bases we use for processing data subject to the GDPR.
|
||
California Residents
If you are a California resident, you can find more information about your rights on our California Residents Privacy Notice Supplement.
|
Simply
California residents can learn more about their rights on our California Residents Privacy Notice Supplement.
|
||
Choice
We partner with a third-party service provider to display advertising on our website or to manage our advertising on other sites. Our third-party service provider may use cookies or similar technologies in order to provide you advertising based upon your browsing activities and interests. If you wish to opt out of interest-based advertising go to https://optout.networkadvertising.org/?c=1 [or if located in the European Union go to https://www.youronlinechoices.eu/]. Please note you will continue to receive generic ads. You may sign up to receive email or newsletter or other communications from us. By interacting with us, such as attending a webinar, attending our sponsored events or downloading content from our website, you may be added to our mailing list. If you would like to discontinue receiving this information, you may update your email preferences by using the “Unsubscribe” link found in emails we send to you or at your member profile on our website or by contacting us at privacy@malwarebytes.com. You may have the right to limit the use and disclosure of your personal information as required by the EU, UK, and Swiss Data Privacy Framework Principles, such as whether your personal information is disclosed to a third party or used for purposes materially different from the purpose for which the personal information was originally collected or subsequently authorized by you. If you wish to limit the use and disclosure of personal information in accordance with the EU, UK, and Swiss Data Privacy Framework Principles, please contact us using our online request form.
|
|||
Usage and Threat Statistics
You may opt out of usage and threat statistics collection in certain Malwarebytes products within the settings. Threat statistics collection includes detection samples and their corresponding statistics. Usage statistics includes behavior usage tracking. Do it in just a couple of clicks. To opt out please follow the instructions below:
Using Malwarebytes for Home on Windows:
From the Navigation menu select Settings. Scroll down to “Usage and Threat Statistics”. Untick the box that reads “Anonymously help fight malware by providing usage and threat statistics”. Usage and threat statistics collection will be disabled.
Using Malwarebytes for Android:
From the Navigation menu select Settings. Scroll down to the General section. Untick the box that reads “Help us Anonymously”. Usage and threat statistics collection will be disabled.
Using Malwarebytes for Mac:
Open Malwarebytes and click Settings. Uncheck “Help fight malware by providing usage and threat statistics”. Usage and threat statistics collection will be disabled.
Using Malwarebytes for iOS:
Open Malwarebytes and tap Settings. Turn off “Share anonymous telemetry”. Whitelisted phone number and URL collection will be disabled.
You may change your preferences at any time following the same steps.
|
Simply
We want to give you control to manage your data.
|
||
Security
We take commercially reasonable measures to protect personal information from unauthorized access, use, and disclosure. However, no method of transmitting information over the Internet or storing information is completely secure. Accordingly, we can’t guarantee the absolute security of your personal information.
|
Simply
We do what we reasonably can to protect your information
|
||
Retention
We will retain your personal information as needed to fulfill the purposes for which it was collected. We will retain and use your personal information as necessary to comply with our business requirements, legal obligations, resolve disputes, protect our assets, and enforce our agreements. Because these needs can vary for different data types in the context of different products or services, actual retention periods can vary significantly.
|
Simply
Our retention periods differ for each type of personal information, but we only retain such information to fulfill the purposes for which it was collected.
|
||
Links
Our website may contain links to other websites and services. Any information that you provide on or to a third-party website or service is provided directly to the owner of the website or service and is subject to that party’s privacy policy. Our Privacy Policy does not apply to such websites or services and we are not responsible for the content, privacy, or security practices and policies of those websites or services.
|
Simply
Our privacy policy doesn’t apply when you visit sites we link to.
|
||
Update or Delete your personal information
Upon request, Malwarebytes will provide you with information about whether we hold any of your personal information. You may access or modify the personal information associated with your use of our services at any time by signing into your Nebula or OneView console (as applicable) and updating your information. Alternatively, you may submit a data subject access request to access, modify, or delete (subject to applicable law) the personal information associated with your use of our services. If you want us to delete your personal information, your forum account, or your support account, please contact us at privacy@malwarebytes.com with your request. We will respond to your requests within a reasonable timeframe. We will delete your information as soon as possible; however, some information may remain in archived/backup copies for our records or as otherwise required by law. We may retain your information for as long as your account is active or as needed to provide you services, comply with our legal obligations, resolve disputes and enforce our agreements.
For our Partnerbytes Platform only:
Malwarebytes acknowledges that you have the right to access your personal information. Malwarebytes has no direct relationship with the individuals whose personal data it processes. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct their query to the Malwarebytes’ Client (the data controller). If requested to remove data we will respond within a reasonable timeframe. In certain circumstances we may be required by law to retain your personal information or may need to retain your personal information in order to continue providing a service.
|
Simply
Subject to applicable laws, we’ll delete or modify your information if you ask.
|
||
International: EU – U.S. Data Privacy Framework, UK Extension to the EU – U.S. Data Framework, and Swiss – U.S. Data Privacy Framework
Your personal information may be transferred to, and maintained on, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to provide your personal information to us, we may transfer your personal information to the United States and process it there. If we transfer personal information which originates in the European Economic Area, Switzerland, and/or the United Kingdom to a country that has not been found to provide an adequate level of protection under applicable data protection laws, one of the safeguards we may use to support such transfer is the EU Standard Contractual Clauses. Malwarebytes complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. As part of this process, Malwarebytes has certified to the U.S. Department of Commerce that, for transfers of personal information to the U.S., we will adhere to: (i) the EU-U.S. Data Privacy Framework Principles with regards to the processing of personal information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF, and (ii) the Swiss-U.S. DPF with regards to the processing of personal information received from Switzerland in reliance on the Swiss-U.S. DPF (collectively, the “DPF Principles” or the “EU, UK, and Swiss Data Privacy Framework Principles”). All of Malwarebytes’s U.S. subsidiaries using the Malwarebytes brand name adhere to the DPF Principles. The Federal Trade Commission has jurisdiction over our compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF (collectively, the “DPF”).
To learn more about the DPF and to view our certification, please visit the Data Privacy Framework Program’s website. If we receive personal information in the United States that is subject to the DPF Principles and subsequently transfer that personal information to a third party acting as an agent, we will remain liable under the DPF Principles if our agent processes such personal information in a manner inconsistent with the DPF Principles, unless we prove that we are not responsible for the event giving rise to the damage. Please note that we may be required to disclose your personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, we will commit to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal information received in reliance on the DPF should first contact Malwarebytes at Attn: Privacy (Legal), Malwarebytes, 3979 Freedom Circle, Fl 12, Santa Clara, CA 95054 USA. In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, we will further commit to refer unresolved complaints concerning our handling of personal information received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to JAMS Data Privacy Dispute Resolution Program, an independent dispute resolution provider located in the U.S. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit the JAMS EU-U.S. Data Privacy Framework website for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Under certain conditions, as more fully described in Pre-Arbitration Requirements of Annex I of the DPF Principles, you may invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. |
Simply
If you’re not in the U.S., we may transfer your information to the U.S. We participate in the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce.
|
||
Children
Our services are not directed to children under eighteen, and we do not knowingly collect personal information from children under thirteen. If we learn that we have collected personal information of a child under thirteen we will delete such information from our files as soon as possible, provided, however, that some information may remain in archived/backup copies for our records or as otherwise required by law.
|
Simply
We don’t knowingly collect information on children, and delete it if we inadvertently do collect it.
|
Revisions | |||
---|---|---|---|
We may modify and revise this Privacy Policy from time to time. If we make any material changes to this Privacy Policy, we will notify you of such changes by posting them on our website or by sending you an email or other notification prior to the change becoming effective. |
Simply
We’ll let you know if we revise our privacy policy. If we make a material change, we will let you know before the change takes place.
|
California Residents Privacy Notice | |||
---|---|---|---|
California Residents Privacy Notice Supplement |
Questions? Please contact us at 3979 Freedom Circle, 12th Floor, Santa Clara, CA 95054 or via email at privacy@malwarebytes.com if you have any questions about our Privacy Policy.